Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12308

Reverse proxy does not work with openssl provider used

    XMLWordPrintable

Details

    • Hide

      We need to have an EAP worker and an EAP proxy servers:

      1. worker
        unzip EAP
        generate neccessary keystores in standalone/configuration directory:
        EAP - worker
        keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
        keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
        keytool -exportcert  -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
        keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
        keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer
        keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
        keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret
        keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret
        

        configure two-way ssl in EAP CLI:

        /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
        /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
        /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
        batch
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)
        run-batch
        
      2. proxy
        copy client.keystore.jks and client.truststore.jks from EAP - worker to EAP - proxy standalone/configuration directory
        Configure two way ssl in EAP CLI:
        EAP - proxy
        /subsystem=elytron/key-store=twoWayKS:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-store=twoWayTS:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
        /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
        /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
        batch
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)
        run-batch
        

        Configure reverse-proxy in EAP CLI:

        /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443)
        /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add()
        /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSC,scheme=https)
        /subsystem=undertow/server=default-server/host=default-host/location=\/proxy:add(handler=my-proxy)
        
      3. start EAP - worker
        ./bin/standalone.sh
        
      4. start EAP - proxy
        ./bin/standalone.sh -Djboss.socket.binding.port-offset=1000
        
      5. import certificate to your client (beware - with this configuration you actually want to import server.p12)
      6. perform request to https://localhost:9443/proxy
      7. see 503 - Service Unavailable response from proxy
      Show
      We need to have an EAP worker and an EAP proxy servers: worker unzip EAP generate neccessary keystores in standalone/configuration directory: EAP - worker keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -exportcert -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret configure two-way ssl in EAP CLI: /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm= "SunX509" ) /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=[ "TLSv1.2" ],trust-manager=twoWayTM,need-client-auth= true ) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch proxy copy client.keystore.jks and client.truststore.jks from EAP - worker to EAP - proxy standalone/configuration directory Configure two way ssl in EAP CLI: EAP - proxy /subsystem=elytron/key-store=twoWayKS:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm= "SunX509" ) /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=[ "TLSv1.2" ],trust-manager=twoWayTM,need-client-auth= true ) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch Configure reverse-proxy in EAP CLI: /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443) /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add() /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSC,scheme=https) /subsystem=undertow/server= default -server/host= default -host/location=\/proxy:add(handler=my-proxy) start EAP - worker ./bin/standalone.sh start EAP - proxy ./bin/standalone.sh -Djboss.socket.binding.port-offset=1000 import certificate to your client (beware - with this configuration you actually want to import server.p12) perform request to https://localhost:9443/proxy see 503 - Service Unavailable response from proxy
    • Documentation (Ref Guide, User Guide, etc.)

    Description

      Reverse proxy in Undertow does not work with OpenSSL provider configured. Follow Steps to Reproduce section to configure and check error. On proxy there is following exception logged:

      18:27:26,640 FINE  [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) The version of SSL in use does not support cipher ordering
      18:27:26,642 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /proxy for path /proxy
      18:27:26,643 FINE  [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) The version of SSL in use does not support cipher ordering
      18:27:26,644 DEBUG [io.undertow.request] (default I/O-12) Failed to connect: java.io.IOException: java.lang.UnsupportedOperationException
              at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:328)
              at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:306)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:330)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      Caused by: java.lang.UnsupportedOperationException
              at org.wildfly.openssl.OpenSSLEngine.setUseClientMode(OpenSSLEngine.java:1062)
              at org.xnio.ssl.JsseSslUtils.createSSLEngine(JsseSslUtils.java:148)
              at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:321)
              ... 4 more
      

      Worker does not log anything important. When standard jsse provider is configured on proxy

      /subsystem=elytron/server-ssl-context=twoWaySSC:undefine-attribute(name=providers)
      

      proxying starts to work and one can see EAPs welcome page.

      Attachments

        Issue Links

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: